Systems and methods are provided for secure cross-cloud resource access based on user identity. The system includes a plurality of clouds, where a second cloud (e.g., a private cloud) enforces more restrictive access than a first cloud (e.g., a public cloud). An end user of the second cloud also has a user identity stored in the less restrictive first cloud. Onboarding authenticates and authorizes tokens associated with an administrator of a first tenant in the first cloud and an administrator of a second tenant in the second cloud, and establishes a two-way trust between the two tenants across the first and second clouds. Once the trust is established, operating an application service and accessing data resources in the second cloud is accomplished by logging into the first cloud and leveraging the two-way trust to remotely launch application services in the second cloud using a tenant graph and a location service in the first cloud.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of creating a cross-cloud relationship comprising: receiving, by a first cloud, a request to onboard a second cloud to create a cross-cloud relationship, wherein the request includes a first token associated with a first tenant in the first cloud, and a second token associated with a second tenant in the second cloud, wherein the second tenant is distinct from the first tenant, and the second cloud is distinct from the first cloud; transmitting an authentication request for authenticating the cross-cloud relationship to the second tenant, wherein the request includes the first token, the second token, and tenant information associated with the first tenant; receiving authentication result data from the second tenant; transmitting an authorization request for authorizing the cross-cloud relationship to the second tenant; receiving authorization result data from the second tenant; creating a mapping entry between the first tenant and the second tenant; and storing the mapping entry in a graph database in the first cloud.
2. The method of claim 1, wherein the first token comprises: a first tenant identifier associated with the first tenant in the first cloud, a first application identifier, and a role setting associated with the first user; and wherein the second token comprises: a tenant identifier associated with the second tenant in the second cloud, a second application identifier, and a role setting associated with the second user.
3. The method of claim 1, wherein the authentication result data from the second tenant includes a result of authenticating the second user as an administrator associated with the second tenant in the second cloud.
4. The method of claim 1, wherein the first cloud includes a public cloud, and the second cloud includes a private cloud.
5. The method of claim 1, wherein the authentication result data comprises: a result of validating the first token and the second token, and a result of validating an authentication of the first tenant in the first cloud for launching operation of an application.
6. The method of claim 1, wherein the mapping entry represents the cross-cloud relationship between the first tenant in a public cloud and the second tenant in a private cloud.
7. The method of claim 1, wherein the authorization result data include: a result of validating the first token and the second token, a result of validating an identifier associated with an application service to be executed in the second tenant in the second cloud, and a result of validating roles associated with the first tenant in the first cloud and the second tenant in the second cloud.
8. The method of claim 2, wherein the first token is based on first credential data and the second token is based on second credential data, and wherein the first credential data and the second credential data are distinct.
9. A system for creating a cross-cloud relationship between tenants for secure cross-cloud access, comprising: a processor configured to execute a method comprising: receiving, by a first cloud, a request to onboard a second cloud, wherein the request includes a first token associated with a first tenant in the first cloud, and a second token associated with a second tenant in the second cloud, wherein the second tenant is distinct from the first tenant, and the second cloud is distinct from the first cloud; transmitting an authentication request for authenticating the cross-cloud relationship to the second tenant, wherein the request includes the first token, the second token, and tenant information associated with the first tenant; receiving authentication result data from the second tenant; transmitting an authorization request for authorizing the cross-cloud relationship to the second tenant, wherein the request includes the first token, the second token, and tenant information associated with the first tenant; receiving authorization result data from the second tenant; creating a mapping entry between the first tenant and the second tenant; and storing the mapping entry in a graph database in the first cloud.
10. The system of claim 9, wherein the first token comprises: a first tenant identifier associated with the first tenant in the first cloud, a first application identifier, and a role setting associated with the first user; and wherein the second token comprises: a tenant identifier associated with the second tenant in the second cloud, a second application identifier, and a role setting associated with the second user.
11. The system of claim 9, wherein the authorization result data from the second tenant include a result of authenticating the second user as an administrator associated with the second tenant in the second cloud.
12. The system of claim 9, wherein the first cloud includes a public cloud, and the second cloud includes a private cloud.
13. The system of claim 9, wherein the first credential data and the second credential data are distinct.
14. The system of claim 9, the processor further configured to execute a method comprising: causing a launch of operating a virtual machine in the second tenant in the second cloud, wherein the virtual machine executes an application in a virtual desktop; and causing display of the virtual desktop associated with the virtual machine for interactively operating the application and accessing data resources in the second tenant in the second cloud.
15. The system of claim 9, wherein the mapping represents a two-way trust between the first tenant in a public cloud and the second tenant in a private cloud.
16. A method for creating a cross-cloud relationship between a first tenant in a first cloud and a second tenant in a second cloud for accessing the second tenant in the second cloud from the first tenant in the first cloud, comprising: receiving, by the second tenant in the second cloud, a request for a login by a user; retrieving a token associated with the user in the second tenant of the second cloud; transmitting the token to the first tenant in the first cloud; receiving an authentication request from the first tenant in the first cloud; performing authentication of the cross-cloud relationship; transmitting authentication result data to the first tenant in the first cloud; receiving an authorization request from the first tenant in the first cloud; performing authorization of the cross-cloud relationship; and transmitting authorization result data to the first tenant in the first cloud.
17. The method of claim 16, wherein the token includes: a tenant identifier, an application identifier, and a role setting associated with an administrator account.
18. The method of claim 16, wherein the first cloud includes a public cloud, and the second cloud includes a private cloud.
19. The method of claim 16, further comprising: launching operation of a virtual desktop in a virtual machine in the second tenant in the second cloud; receiving a request for login into the virtual desktop; and displaying the virtual desktop associated with the virtual machine for interactively operating an application and accessing data resources in the second tenant in the second cloud.
20. The method of claim 16, wherein the mapping entry represents a cross-cloud relationship between the first tenant in a public cloud and the second tenant in a private cloud.
Complete technical specification and implementation details from the patent document.
As cloud services over a network have become more commonplace, organizations are increasingly using multiple clouds. Respective clouds vary in security protections associated with users and data resources, ranging from public clouds with lower security protections to private clouds having more security protections. One similarity between different clouds is that they all manage distinct user identities. In order to access data or applications from a particular cloud, users traditionally must log in to that particular cloud separately.
It is with respect to these and other general considerations that the aspects disclosed herein have been made. In addition, although relatively specific problems may be discussed, it should be understood that the examples should not be limited to solving the specific problems identified in the background or elsewhere in this disclosure.
Aspects of the present disclosure relate to systems and methods for secure cross-cloud resource mapping between clouds having different security requirements, e.g., a public cloud and a private cloud. Upon receiving a request for establishing a two-way trust relationship, also referred to as a “cross-cloud relationship” or a “mutual trust relationship”, between a first tenant of a public cloud and a second tenant of a private cloud based on a cross-cloud mapping, embodiments authenticate and authorize the cross-cloud mapping based on user credentials associated with administrators of the public cloud and the private cloud. The authorization process further includes an evaluation of permission information, to determine whether the tenant on the public cloud has adequate permission to access the service application (e.g., a virtual machine running a virtual desktop) in the second tenant in the private cloud. Once the cross-cloud mapping is established and the private cloud is onboarded to the public cloud for secure access, initiating the execution of service applications in the private cloud requires a user identity of the administrator of the public cloud. A two-way trust established between the first tenant of the public cloud and the second tenant of the private cloud enables application services to be operated in the private cloud based on a user identity for an end user of the tenant in the public cloud. That is, an end user of the private cloud who also has a user identity managed in the public cloud logs into the first tenant of the public cloud. When the end user of the private cloud needs to run an application service for accessing data resources in the private cloud, the end user further logs into the private cloud and uses a virtual desktop rendered by an application service executing on a virtual machine in the second tenant of the private cloud.
This Summary is provided to introduce a selection of concepts in a simplified form, which is further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. Additional aspects, features, and/or advantages of examples will be set forth in part in the following description and, in part, will be apparent from the description, or may be learned by practice of the disclosure.
Organizations around the world are increasingly moving to the cloud. As the adoption of cloud services grows, the complexity of the services and solutions in the cloud also grows, creating scenarios where a user must access more than one cloud, each of which varies in level of security and types of data resources stored. In some cases, services need to operate transparently across multiple clouds. The multi-cloud configuration has become a more complex and challenging security environment. Requiring users to use multiple user identities for accessing respective clouds increases operational burden upon the user and increases the risk of operational errors and compromises in security.
The complexities associated with accessing resources stored across clouds include the presence of distinct user identities for different clouds, remotely using application services that execute in another cloud, and remotely accessing data resources stored in another cloud. Traditional technologies include federating multiple instances of user directories into a single instance. Issues still remain in federating user directories because credentials for enabling execution of application services (e.g., a virtual machine executing a virtual desktop) may need to be authenticated and authorized separately from an access to data resources. The resulting single instance of the federated system may be complicated to set up and configure. Federating multiple instances of user directories may also lack established trust between clouds and thus may be unsuitable for a cross-cloud scenario where two clouds (e.g., a public cloud and a private cloud) have different security boundaries. Another traditional technology includes sharing applications and services of a tenant with guest users from other tenant(s). The sharing of applications and services often includes sending an explicit invitation and establishing a redemption process to be followed by individual guest users. Such traditional technology for accommodating guest users still lacks simplicity of usability for users who regularly use multiple clouds to execute service applications and to access data resources in the respective clouds.
As discussed in more detail below, embodiments described herein relate to systems and methods that enable users to access services associated with a private cloud using a single user identity to securely span from a public cloud to the private cloud. The disclosed technology is directed to allowing a user to continue using the user's user identity stored in the public cloud while having secure access to application services and data resources in the more restricted private cloud. In aspects, the disclosure creates and maintains a relationship between the public cloud and the private cloud by authenticating and authorizing administrator identities for both clouds and permission (e.g., a software license) for executing service applications in the private cloud. Once authenticated, the disclosed technology further maintains a mapping of a tenant in the private cloud to a tenant in the public cloud. The mapping of the tenant in the public cloud and tenant in the private cloud enables system administrators of the respective clouds to set up and configure the execution of service applications in respective clouds, while enabling end users of the private cloud tenant to access private cloud service applications through the public cloud.
In aspects, the disclosed technology leverages tokens associated with user directories that store user identities. Each token includes a variety of information associated with user identity, including a tenant identifier, an application identifier, and one or more roles associated with the administrator of the tenant of the cloud. Use of the token enables authentication and authorization of the administrator in order to create a mapping between tenants of different clouds and establish a two-way trust relationship.
Various aspects of the disclosure are described more fully below with reference to the accompanying drawings, which form a part hereof, and which show specific example aspects. However, different aspects of the disclosure may be implemented in many different ways and should not be construed as limited to the aspects set forth herein; rather, these aspects are provided so that this disclosure will be thorough, complete, and will fully convey the scope of the aspects to those skilled in the art. Practicing aspects may be as methods, systems, or devices. Accordingly, aspects may take the form of a hardware implementation, an entirely software implementation or an implementation combining software and hardware aspects. The following detailed description is, therefore, not to be taken in a limiting sense.
FIG. 1 illustrates an overview of an example system of mapping across clouds (e.g., onboarding of a cloud) for secure cross-cloud resource access in accordance with aspects of the present disclosure. A system 100 includes a client device 104, the public cloud 106, and the private cloud 108. In examples, the respective clouds may include one or more tenants. Each tenant includes one or more services. Each service includes one or more application executables. In examples, the public cloud 106 is less restrictive than the private cloud 108 in authenticating and authorizing execution of applications and access to data repositories. The public cloud 106 and the private cloud 108 are distinct clouds and manage distinct sets of user identities for end users. For simplicity, as shown, the public cloud 106 and private cloud 108 each have only one associated tenant, i.e., a tenant 150 in the public cloud 106 and a tenant 152 in the private cloud 108. The tenants are different and typically do not have a prior relationship, i.e., prior to the onboarding discussed herein. Also, those skilled in the art will appreciate that while only one tenant is shown in each cloud, the clouds may contain other tenants.
In examples, the system 100 performs onboarding of a tenant of the private cloud 108 in the public cloud 106, wherein the onboarding generates a two-way trust relationship between the tenants. The onboarding includes mapping the tenant in the private cloud 108 to a tenant in the public cloud 106, which process will be described in more detail below. Once the tenant mapping is created, the tenant mapping enables an end user of the tenant of the public cloud 106 to use a virtual machine via a virtual desktop associated with the tenant of the private cloud 108 to access service applications and data resources in the private cloud 108.
The public cloud 106 includes a user directory database 110, a tenant graph application 112, a graph database 114, other application executables 116, and a location service 118. The user directory database 110 stores and maintains user identities of end users associated with the public cloud 106. The tenant graph application 112 represents an executable that maintains a graph (not shown) wherein the graph describes relationships among tenants and clouds. The tenant graph application 112 connects to a graph database 114 that stores the graph. The other application executables 116 include other applications, e.g., third party applications, available for execution in the public cloud 106. The location service 118 is used in some embodiments of the present disclosure to identify a location of a remote service in another tenant of another cloud for connection to the public cloud 106 as described below.
The private cloud 108 includes a private tenant data repository 132, a private user directory database 134, application executables 136, a tenant service 140, a mapping database 142, and additional services 144. The private tenant data repository 132 stores data resources in the private cloud 108. The private user directory database 134 stores and maintains user identities of end users associated with the private cloud 108. The private tenant data repository 132 enforces access controls for users accessing the data resources according to the user identities of end users associated with the private cloud 108. The application executables 136 represent service applications to be executed in the private cloud 108.
The tenant service 140 executes and maintains an application service in a tenant in the private cloud 108. The tenant service 140 further maintains a mapping between tenants in the public cloud 106 and tenants in the private cloud 108. The mapping database 142 stores data associated with mapping the tenant with another tenant in the public cloud 106. The additional services 144 relate to other services in the private cloud 108 that are in addition to the application executables 136 and the tenant service 140.
With respect to the onboarding aspect of the present disclosure, the client device 104 receives a combination of a user identity of an administrator 102A for the public cloud 106 and a user identity of the administrator 102B for the private cloud 108. The client device 104 communicates with the user directory database 110 of the public cloud 106 for authenticating the user identity of the administrator 102A for the public cloud 106. Similarly, the client device 104 communicates with the private user directory database 134 in the private cloud 108 for authenticating the user identity of the administrator 102B for the private cloud 108.
Upon authenticating the user identity of the administrator 102A for the public cloud 106, the client device 104 requests the tenant graph application 112 in the public cloud 106 to identify a tenant in the private cloud 108 and establish a mutual trust relationship, i.e., a two-way trust relationship between the tenant in the public cloud 106 and the tenant in the private cloud 108. The request includes a name of the tenant in the private cloud 108 and security credentials associated with the user identity of the administrator 102B of the private cloud 108. The tenant graph application 112 retrieves tenant information from the graph database 114. The tenant graph application 112 requests the location service 118 to connect to the identified tenant in the private cloud 108.
The location service 118 connects to the tenant service 140 of the private cloud 108. The location service 118 identifies a location of the tenant in the private cloud 108 and sends (e.g., redirects) a request establishing a two-way trust relationship between the tenant of the public cloud 106 and the tenant of the private cloud 108. In an embodiment, the location service 118 authenticates and authorizes the user identity of the administrator 102A for the public cloud 106. Upon a successful completion of the authentication and authorization, the location service 118 sends the request to the tenant service 140 of the private cloud 108. The request includes user credentials associated with the user identity of the administrator 102A of the public cloud 106 and the user identity of the administrator 102B of the private cloud 108. The request further specifies an application service as an executable resource to be remotely accessed from the public cloud 106.
The tenant service 140 in the private cloud 108 receives the request for establishing the two-way trust relationship between the tenant in the private cloud 108 and the tenant in the public cloud 106. The tenant service 140 performs authentication and authorization using the received user credentials. During authentication, the tenant service 140 validates both of the tokens associated with the respective administrators 102A and 102B. In aspects, the tenant service 140 confirms whether the tenant in the public cloud 106 has a valid license or permission (e.g., an authorization) for executing a service application. For authorizing, the tenant service 140 validates both tokens, identifiers associated with application services to be executed in the private cloud 108, and the roles of both tenants (e.g., the tenant in the public cloud 106 and the tenant in the private cloud 108) to enable a more fine-tuned authorization of specific resource and/or service access. The mapping database 142 stores the mapping between the tenant in the public cloud 106 and the tenant in the private cloud 108.
As detailed above, the system 100 establishes a mapping between a tenant in the public cloud 106 and another tenant in the private cloud 108. Authorizing and authenticating associated with establishing the mapping are based on a pair of user identities associated with the administrator 102A of the public cloud 106 and the administrator 102B of the private cloud 108. Once the mutual trust relationship (e.g., a two-way trust) is established, the present disclosure enables users of the tenant in the private cloud 108 to initiate and use application services of the private cloud 108, in addition to the application services of the public cloud 106. In aspects, establishing the mutual trust relationship between the public cloud 106 and the private cloud 108 by mapping may be referred to as onboarding of the private cloud 108.
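The onboarding handshake described above, as an added example and not code from the patent: administrator A's and B's tokens carry a tenant identifier, an application identifier and a role; the location service authenticates A before the request leaves the public cloud; the private tenant service authenticates both tokens and the public tenant's license, then authorizes the requested application service identifier and both administrator roles, and only then is the mapping written to the private mapping database and the public graph database. The HMAC token layout, the key names, the tenant names and the in-memory databases are assumptions, as is the private side holding a verification key for tokens issued by the public-cloud directory.

```python
"""Cross-cloud onboarding handshake between a public-cloud tenant graph/location
service and a private-cloud tenant service. Added example, not the patent's code:
the HMAC token layout, keys, tenant names and in-memory databases are constructed."""
import hashlib, hmac, json


def mint_token(key: bytes, tenant_id: str, app_id: str, role: str) -> dict:
    """Directory-issued token: tenant id, application id, role, bound by an HMAC."""
    claims = {"tenant_id": tenant_id, "app_id": app_id, "role": role}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_token(key: bytes, token: dict) -> bool:
    body = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["mac"])


class PrivateTenantService:
    """Tenant service in the private cloud: authenticates, then authorizes, the
    relationship and records the mapping in the private mapping database."""
    def __init__(self, tenant_id, own_key, public_cloud_key, licensed, app_services):
        self.tenant_id = tenant_id
        self.own_key = own_key                    # private user directory key
        self.public_cloud_key = public_cloud_key  # assumed: verifies public-directory tokens
        self.licensed = set(licensed)             # public tenants licensed to launch services
        self.app_services = set(app_services)     # application service identifiers offered
        self.mapping_db = {}
    def _tokens_valid(self, req):
        return (verify_token(self.public_cloud_key, req["first_token"])
                and verify_token(self.own_key, req["second_token"]))
    def authenticate(self, req):
        """Both tokens valid, second admin belongs to this tenant, public tenant licensed."""
        t2 = req["second_token"]["claims"]
        result = {
            "tokens_valid": self._tokens_valid(req),
            "second_admin": t2["tenant_id"] == self.tenant_id and t2["role"] == "admin",
            "launch_permitted": req["tenant_info"]["tenant_id"] in self.licensed,
        }
        result["ok"] = all(result.values())
        return result
    def authorize(self, req):
        """Tokens, requested application service id and both admin roles; then store mapping."""
        t1, t2 = req["first_token"]["claims"], req["second_token"]["claims"]
        result = {
            "tokens_valid": self._tokens_valid(req),
            "app_service_valid": req["app_service"] in self.app_services,
            "roles_valid": t1["role"] == "admin" and t2["role"] == "admin",
        }
        result["ok"] = all(result.values())
        if result["ok"]:
            self.mapping_db[req["tenant_info"]["tenant_id"]] = self.tenant_id
        return result


class PublicCloud:
    """Tenant graph application plus location service in the public cloud."""
    def __init__(self, directory_key, locations):
        self.directory_key = directory_key
        self.locations = locations  # location service: private tenant name -> endpoint
        self.graph_db = {}          # mapping entries: public tenant -> {private tenants}
    def onboard(self, first_token, second_token, private_tenant, app_service):
        # Location service authenticates administrator A before the request leaves the cloud.
        if not (verify_token(self.directory_key, first_token)
                and first_token["claims"]["role"] == "admin"):
            return {"ok": False, "stage": "public-admin-auth"}
        target = self.locations.get(private_tenant)
        if target is None:
            return {"ok": False, "stage": "location"}
        tenant_info = {"tenant_id": first_token["claims"]["tenant_id"]}
        req = {"first_token": first_token, "second_token": second_token,
               "tenant_info": tenant_info, "app_service": app_service}
        authn = target.authenticate(req)
        if not authn["ok"]:
            return {"ok": False, "stage": "authentication", "result": authn}
        authz = target.authorize(req)
        if not authz["ok"]:
            return {"ok": False, "stage": "authorization", "result": authz}
        self.graph_db.setdefault(tenant_info["tenant_id"], set()).add(private_tenant)
        return {"ok": True, "mapping": (tenant_info["tenant_id"], private_tenant)}


def demo():
    """One successful onboarding, then a non-admin second token and a forged first token."""
    public_key, private_key = b"public-directory-key", b"private-directory-key"
    svc = PrivateTenantService("contoso-private", private_key, public_key,
                               licensed=["contoso-public"], app_services=["virtual-desktop"])
    cloud = PublicCloud(public_key, {"contoso-private": svc})
    admin_a = mint_token(public_key, "contoso-public", "tenant-graph", "admin")
    admin_b = mint_token(private_key, "contoso-private", "tenant-service", "admin")
    good = cloud.onboard(admin_a, admin_b, "contoso-private", "virtual-desktop")
    user_b = mint_token(private_key, "contoso-private", "tenant-service", "user")
    bad_role = cloud.onboard(admin_a, user_b, "contoso-private", "virtual-desktop")
    forged = {"claims": dict(admin_a["claims"], tenant_id="mallory-public"), "mac": admin_a["mac"]}
    bad_sig = cloud.onboard(forged, admin_b, "contoso-private", "virtual-desktop")
    return good, bad_role, bad_sig, cloud.graph_db, svc.mapping_db
```

Ordering is the point: a forged or non-admin first token is stopped by the location service and never reaches the private cloud, a non-admin second token or an unlicensed public tenant fails at the authentication step, a wrong application service identifier fails at authorization, and neither side writes its mapping until both steps succeed.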
As will be appreciated, the various methods, devices, applications, features, etc., described with respect to FIG. 1 are not intended to limit the system 100 to being performed by the particular applications and features described. Accordingly, additional controller configurations may be used to practice the methods and systems herein and/or features and applications described may be excluded without departing from the methods and systems disclosed herein.
FIG. 2 illustrates an overview of an example system of using clouds for secure cross-cloud resource access in accordance with aspects of the present disclosure. A system 200 includes a client device 204, public cloud 206, and private cloud 208. The client device 204 may be used by an administrator 202 for the public cloud 206. The public cloud 206 includes user directory database 210, tenant graph application 212, graph database 214, and a location service 218. The private cloud 208 includes private data repository 232, private user directory database 234, application executables 236, application service 238, tenant service 240, additional services 246, and mapping database 242.
After the onboarding of the private cloud 208 as detailed in FIG. 1, the administrator 202 of the public cloud 206 is able to log in and execute operations of an application service associated with a tenant in the private cloud 208. The application service 238 in the private cloud 208 identifies a tenant service 240 associated with the tenant in the private cloud, based on the tenant mapping. The tenant service 240 then operates on behalf of the mapped tenant in the public cloud.
In examples, the user directory database 210 stores and maintains user identities of users in the public cloud 206 for authentication. The tenant graph application 212 maintains graph data associated with tenants stored in other clouds in the graph database 214. Based on the graph data, the tenant graph application 212 in the public cloud 206 connects with application services associated with a requested tenant in another cloud (e.g., the private cloud 208). The location service 218 connects with an application service 238 in the private cloud 208 based on given location information associated with a tenant in the private cloud 208.
The private cloud 208 includes a tenant 252 that has been mapped to a tenant 250 in the public cloud 206 based on the onboarding of the private cloud 208 as detailed in FIG. 1. The private cloud 208 includes private data repository 232, private user directory database 234, application executables 236, application service 238, tenant service 240, mapping database 242, and additional services 246.
The application service 238 receives a request for initiating an application service in a tenant in the private cloud 208. The request includes information associated with the tenant to be connected with and application service(s) to be initiated in the private cloud 208. The application service 238 connects with the tenant service 240 to initiate an application service as requested by the request. The tenant service 240 has access to the mapping database 242 for confirming the mapping between the tenant and a tenant in the public cloud 206.
After authenticating the administrator 202 for the public cloud 206, the tenant graph application 212 accesses the graph database 214 and retrieves location information associated with a tenant in the private cloud 208. The tenant graph application 212 requests the location service 218 to connect with application service 238 in the private cloud 208. The location service 218 performs a primary authentication and authorization associated with the tenant in the public cloud 206. Upon successful authentication and authorization, the location service redirects the request to the application service 238 to perform operations as requested by the administrator 202 for the public cloud 206 using the client device 204.
The application service 238 receives the request from the location service 218 to start an application service in a tenant that is mapped in the private cloud 208. The application service 238 retrieves information associated with the mapped tenant in the private cloud 208 by accessing the mapping database 242 through the tenant service 240. The application service 238 further enables access to the private data repository 232 by using an identity of the tenant in the private cloud 208.
As will be appreciated, the various methods, devices, applications, features, etc., described with respect to FIG. 2 are not intended to limit the system 200 to being performed by the particular applications and features described. Accordingly, additional controller configurations may be used to practice the methods and systems herein and/or features and applications described may be excluded without departing from the methods and systems disclosed herein.
FIG. 3 illustrates an overview of an example system of an end user accessing secure cross-cloud resources in accordance with aspects of the present disclosure. A system 300 includes a client device 304, public cloud 306, and private cloud 308. The client device 304 is used by end user 302 of private cloud 308. In examples, the end user 302 is an end user in a cross-cloud scenario where the end user also uses a user identity associated with a public cloud. In such examples, the end user 302 of the private cloud 308 securely accesses, through the public cloud 306, resources (e.g., application services and data resources) that are securely stored in a private cloud with more restricted access controls.
The user directory database 310 stores and maintains identities and credentials of users of the public cloud 306. The web portal 312 provides a portal function to the client device 304 and enables the end user 302 of the private cloud 308 to access application services and data resources of the private cloud 308 through the public cloud 306. The web portal 312 accesses the graph database 314, which stores at least one relationship between tenant 360 in the public cloud 306 and tenant 362 in the private cloud 308 as graph data. The location service 318 identifies locations of tenants in other clouds.
The private cloud 308 includes private data repository 332, private user directory database 334, and application executable 354. The application executable 354 includes virtual machine 352 for executing application services including a virtual desktop.
In examples, the client device 304 receives an identity and credentials of an end user 302 of the private cloud 308. The client device 304 (e.g., via an executable of a browser application executing in the client device 304) communicates with the web portal 312 of the public cloud 306 for logging in the end user. The client device 304 requests launching a virtual desktop associated with a tenant in the private cloud 308. The client device 304 retrieves an authentication token of the end user 302 in the public cloud 306. In particular, the end user 302 of a tenant of a private cloud uses a user identity associated with the public cloud 306 first. The end user 302 then logs into the private cloud 308 through the web portal 312 using another user identity associated with the private cloud 308 for accessing the resources (e.g., both application services and data resources) that are securely stored in a private cloud with more restricted access controls.
The client device 304 transmits a request for initiating and operating the virtual desktop to the web portal 312. The web portal 312 retrieves credential data of the user identity associated with the public cloud 306 from the user directory database and an identity of the tenant in the private cloud 308 from the graph database 314. The web portal 312 further retrieves location information of the tenant in the private cloud 308 from the location service 318. The web portal 312 requests the tenant application service 350 of the private cloud 308 to initiate the virtual desktop using a virtual machine executing the application executable 354.
The tenant application service 350 in the private cloud 308 retrieves information associated with the virtual machine 352 with the virtual desktop. In aspects, the tenant application service 350 initiates the application executable 354 that executes the virtual machine 352 where the virtual desktop runs. The tenant application service 350 may initiate additional services 346 when the request from the web portal 312 includes initiating the additional services 346.
The application executable 354 executes a virtual machine 352 that may further execute the virtual desktop. The application executable 354 enables the virtual desktop to access the private data repository 332 using credentials of a user identity of the end user 302 of the private cloud 308.
As will be appreciated, the various methods, devices, applications, features, etc., described with respect to FIG. 3 are not intended to limit the system 300 to being performed by the particular applications and features described. Accordingly, additional controller configurations may be used to practice the methods and systems herein and/or features and applications described may be excluded without departing from the methods and systems disclosed herein.
FIG. 4 illustrates an example graphical user interface in accordance with aspects of the present disclosure. The graphical user interface 400 includes a window 402 that displays an on-boarding request window used to initiate an onboarding or mapping of a tenant in another cloud. The window 402 includes an input and/or selection field 404 for specifying a name of another cloud. The window 402 further includes another input and/or selection field 406 for specifying a name of a tenant in the cloud for the onboarding. In examples, the disclosure displays the window 402 on a client device (e.g., the client device 104 as shown in FIG. 1) after the administrator provides user identities associated with both the administrator of the public cloud and the administrator for the private cloud (e.g., the administrator 102A for the public cloud 306 and the administrator 102B for the private cloud 308 as shown in FIG. 1). The window 402 further includes selection buttons: an “Onboard” button 410 and a “Cancel” button 412. Receiving a selection of the “Onboard” button 410 triggers the client device to transmit a request to the tenant graph to proceed with the onboarding process, as detailed in FIG. 1. In other embodiments, other information may be requested or received to enable the onboarding.
FIG. 5A illustrates an example of methods of establishing a cross-cloud mapping and accessing resources in a private cloud for a secure cross-cloud resource access in accordance with aspects of the present disclosure. A general order of the onboarding operations for the method 500A is shown in FIG. 5A. Generally, the method 500A begins with start operation 502. The method 500A may include more or fewer steps or may arrange the order of the steps differently than those shown in FIG. 5A. The method 500A can be executed as a set of computer-executable instructions executed by a computer system and encoded or stored on a computer readable medium. Further, the method 500A can be performed by gates or circuits associated with a processor, an ASIC, an FPGA, a SOC or other hardware device. Hereinafter, the method 500A shall be explained with reference to the systems, components, devices, modules, software, data structures, data characteristic representations, signaling diagrams, methods, etc., described in conjunction with FIGS. 1, 2, 3, 4, 5B-E, 6, and 7A-B.
Following start operation 502, the method 500A begins with generate operation 504, in which a mapping between a tenant in a public cloud and another tenant in a private cloud is generated as an onboarding process. The detailed onboarding process, including establishing the mapping based on user identities of the administrators for the public cloud and the private cloud, is detailed in FIG. 1.
At enable operation 506, an application service in the mapped tenant in the private cloud is enabled to perform operations in the private cloud. Once enabled, the application service in the private cloud may initiate an application executable in the tenant in the private cloud in response to a request from the tenant in the public cloud. In examples, the enable operation 506 includes receiving a user identity of the administrator of the public cloud to use the established cross-domain mapping, as detailed in FIG. 2.
At launch operation 508, the application service in the private cloud is launched based on a request from the end user of the private cloud. The application service executes an application executable that executes an instance of a virtual machine that executes a virtual desktop. The virtual desktop enables the end user to operate applications executed in the private cloud and to access data resources stored in the private cloud, as detailed in FIG. 3. The method 500A ends with the end operation 510.
As should be appreciated, operations 502-510 are described for purposes of illustrating the present methods and systems and are not intended to limit the disclosure to a particular sequence of steps, e.g., steps may be performed in different order, additional steps may be performed, and disclosed steps may be excluded without departing from the present disclosure.
FIG. 5B illustrates an example of methods of establishing a cross-cloud mapping for secure cross-cloud resource access (e.g., onboarding) in accordance with aspects of the present disclosure. A general order of the operations for the method 500B for enabling usage of an application service across clouds is shown in FIG. 5B. Generally, the method 500B begins with start operation 520. The method 500B may include more or fewer steps or may arrange the order of the steps differently than those shown in FIG. 5B. The method 500B can be executed as a set of computer-executable instructions executed by a computer system and encoded or stored on a computer readable medium. Further, the method 500B can be performed by gates or circuits associated with a processor, an ASIC, an FPGA, a SOC or other hardware device. Hereinafter, the method 500B shall be explained with reference to the systems, components, devices, modules, software, data structures, data characteristic representations, signaling diagrams, methods, etc., described in conjunction with FIGS. 1, 2, 3, 4, 5A, 5C-E, 6, and 7A-B.
Following start operation 520, the method 500B begins with receive a bearer token operation 522, which receives a bearer token associated with the public cloud. The bearer token is based on a user identity of an administrator for the public cloud interactively received by a client device.
At receive a directory service token operation 524, a directory service token associated with the private cloud is received. The directory service token is based on a user identity of an administrator for the private cloud interactively received by the client device.
At insert operation 526, a tenant mapping is inserted in a graph database in the public cloud by a graph application. The tenant mapping is based on the bearer token and the directory service token. In aspects, the insert operation 526 includes calling an application programming interface (API) to add a cross-cloud organization mapping in a graph database based on the combined credentials of the administrator for the public cloud and the administrator for the private cloud.
At request operation 528, a request is made by a location service in the public cloud to a tenant service in the private cloud for authenticating and authorizing the cross-cloud tenant mapping. The authentication includes validating both the bearer token of the public cloud and the directory service token of the private cloud.
At authenticate and authorize operation 530, the cross-cloud mapping is authenticated and authorized. The authentication may further include determining whether the requesting tenant in the public cloud has a license or permission to execute the application service. The authorization may include checking whether both tokens are valid, and checking whether identifiers of the application services for both tokens are valid. The authorization may further include checking whether roles of the administrators of both the public cloud and the private cloud satisfy a set of predetermined conditions associated with authorized roles in accessing and using resources in the private cloud.
At update operation 532, a mapping database in the private cloud is updated based on the cross-cloud tenant mapping according to the successful authentication and authorization. The cross-cloud mapping indicates a two-way trust between the requesting tenant in the public cloud and the tenant in the private cloud.
At receive operation 534, a successful completion status of the cross-cloud tenant mapping is received from the tenant service in the private cloud by the location service in the public cloud. When the authenticate and authorize operation 530 results in a failure in either or both of the authentication and authorization, the receive operation 534 receives an error status, and the cross-cloud mapping is not established.
At indicate operation 534, the completion status of the cross-cloud tenant mapping process is indicated on the client device. In examples, the client device displays the completion status on its display. The method 500B ends with the end operation 538.
As should be appreciated, operations 520-538 are described for purposes of illustrating the present methods and systems and are not intended to limit the disclosure to a particular sequence of steps, e.g., steps may be performed in different order, additional steps may be performed, and disclosed steps may be excluded without departing from the present disclosure.
FIG. 5C illustrates an example of methods of using a cross-cloud mapping of tenants for accessing secure cross-cloud resources in accordance with aspects of the present disclosure. A general order of the operations for the method 500C for enabling usage of an application service across clouds is shown in FIG. 5C. Generally, the method 500C begins with start operation 550. The method 500C may include more or fewer steps or may arrange the order of the steps differently than those shown in FIG. 5C. The method 500C can be executed as a set of computer-executable instructions executed by a computer system and encoded or stored on a computer readable medium. Further, the method 500C can be performed by gates or circuits associated with a processor, an ASIC, an FPGA, a SOC or other hardware device. Hereinafter, the method 500C shall be explained with reference to the systems, components, devices, modules, software, data structures, data characteristic representations, signaling diagrams, methods, etc., described in conjunction with FIGS. 1, 2, 3, 4, 5A-B, 5D-E, 6, and 7A-B.
Following start operation 550, the method 500C begins with receive operation 552, in which a request for executing operations in the private cloud is received by the public cloud. In particular, the request includes executing operations using an application service in a tenant in the private cloud for which a cross-cloud mapping has been established as detailed in FIG. 5B. In aspects, the request for the operations is received from a client device used by the administrator of the public cloud using a user identity of the administrator of the public cloud.
At retrieve operation 554, an authentication token of the tenant in the public cloud is retrieved from a user directory database in the public cloud. The retrieve operation 554 retrieves the token based on the user identity of the administrator for the public cloud.
At receive operation 556, a request for a tenant graph application (e.g., the tenant graph application 112 as shown in FIG. 1) to connect to a location service is received in the public cloud. In aspects, the receive operation 556 receives the request from the client device used by the administrator of the public cloud.
At connect operation 558, the graph application connects with the location service. In aspects, the connect operation 558 includes the tenant graph application in the public cloud calling a location service application programming interface (API) to connect to the location service in the public cloud.
At authenticate and authorize the public cloud tenant operation 560, the requested access to the private cloud from the public cloud is authenticated and authorized by the location service in the public cloud. In aspects, the location service authenticates and authorizes the requesting tenant in the public cloud based on a user identity of the administrator for the public cloud. Upon a successful authentication and authorization, the location service in the public cloud redirects the request for access to an application service in the private cloud for further authentication and authorization.
At retrieve operation 562, a tenant in the private cloud, which is mapped with the requesting tenant in the public cloud, is retrieved from the mapping database as a cross-cloud mapped tenant in the private cloud. The mapping database in the private cloud stores and maintains data that map a tenant in the public cloud and a tenant in the private cloud as a cross-tenant mapping.
At access operation 564, data resources in the private cloud are accessed by the application service in the private cloud. The access to the data resources in the private cloud is based on an identity of the mapped tenant of the private cloud.
At perform operation 566, the requested operation for accessing data resources in the private cloud is performed. A result of the operation is transmitted to the public cloud in response to the request for performing the operations. The response indicates whether the operation was successful. The method 500C ends with an end operation 568.
As should be appreciated, operations 550-568 are described for purposes of illustrating the present methods and systems and are not intended to limit the disclosure to a particular sequence of steps, e.g., steps may be performed in different order, additional steps may be performed, and disclosed steps may be excluded without departing from the present disclosure.
FIG. 5D illustrates an example of a method for an end user accessing secure cross-cloud resources in accordance with aspects of the present disclosure. A general order of the operations for the method 500D for an end user operating an application and accessing resources across clouds is shown in FIG. 5D. Generally, the method 500D begins with start operation 570. The method 500D may include more or fewer steps or may arrange the order of the steps differently than those shown in FIG. 5D. The method 500D can be executed as a set of computer-executable instructions executed by a computer system and encoded or stored on a computer readable medium. Further, the method 500D can be performed by gates or circuits associated with a processor, an ASIC, an FPGA, a SOC or other hardware device. Hereinafter, the method 500D shall be explained with reference to the systems, components, devices, modules, software, data structures, data characteristic representations, signaling diagrams, methods, etc., described in conjunction with FIGS. 1, 2, 3, 4, 5A-C, 5E, 6, and 7A-B.
Following start operation 570, the method 500D begins with receive operation 572, in which a request for starting a virtual desktop to access the private cloud is received. The request is interactively entered in a computing device by an end user of a private cloud. A user identity of the end user is also stored in a public cloud and is used to log in to the public cloud. The public cloud uses the user identity of the end user stored in the public cloud to redirect a request to start a virtual desktop in the private cloud. The end user of a tenant of a private cloud uses a user identity associated with the public cloud to start using the virtual desktop while using a user identity associated with the private cloud to access data resources that are securely stored in the private cloud.
At retrieve operation 574, an authentication token is retrieved from a user directory in the public cloud. The authentication token is based on credentials of the end user whose user identities are managed in the public cloud.
At connect operation 576, the client device and a web portal in the tenant of the public cloud are connected. In examples, the client device displays an entry screen of the web portal.
At retrieve location data operation 578, location data is retrieved for accessing a tenant mapped in the private cloud. In examples, the location data includes a name of the tenant, a name of the private cloud, an address of the tenant, and the like.
At request operation 580, a connection of a virtual desktop in the cross-cloud mapped tenant in the private cloud to the public cloud is requested by the web portal.
At display operation 582, a virtual desktop, which runs on a virtual machine that is executed in the private cloud, is displayed on the client device. The virtual desktop enables the end user to use service applications that are executed in the mapped tenant of the private cloud through the public cloud.
At receiving a request to log into the private cloud operation 584, a login request to log the end user in to the private cloud is received. The end user enters user credentials for accessing the private cloud and using data resources that are stored in the private cloud.
At receive operation commands operation 586, an operation command is received for accessing data resources in the mapped tenant in the private cloud. In aspects, the end user operates the service applications running in the virtual desktop and accesses data resources stored in the private cloud. The method 500D ends with an end operation 588.
As should be appreciated, operations 570-588 are described for purposes of illustrating the present methods and systems and are not intended to limit the disclosure to a particular sequence of steps, e.g., steps may be performed in different order, additional steps may be performed, and disclosed steps may be excluded without departing from the present disclosure.
FIG. 5E illustrates an example of methods of releasing the established mapping (e.g., offboarding the mapped tenant) from secure cross-cloud resource access in accordance with aspects of the present disclosure. A general order of the operations for the method 500E for offboarding a tenant is shown in FIG. 5E. Generally, the method 500E begins with start operation 590. The method 500E may include more or fewer steps or may arrange the order of the steps differently than those shown in FIG. 5E. The method 500E can be executed as a set of computer-executable instructions executed by a computer system and encoded or stored on a computer readable medium. Further, the method 500E can be performed by gates or circuits associated with a processor, an ASIC, an FPGA, a SOC or other hardware device. Hereinafter, the method 500E shall be explained with reference to the systems, components, devices, modules, software, data structures, data characteristic representations, signaling diagrams, methods, etc., described in conjunction with FIGS. 1, 2, 3, 4, 5A-D, 6, and 7A-B.
Following start operation 590, the method 500E begins with receive operation 592, in which a request to offboard a mapped tenant is received. In aspects, the mapped tenant is a cross-cloud mapped tenant in the private cloud. The request may be received via a web portal in the public cloud from the client device. The request may be received from the administrator for the public cloud, for example.
At remove operation 594, the tenant mapping is removed from the mapping database in the private cloud. Once the tenant mapping is removed, the end user of the private cloud can no longer use a virtual desktop accessing the virtual machine of a tenant application in the private cloud through the public cloud.
At transmit operation 596, an updated status of the cross-cloud tenant mapping after removing the tenant mapping is transmitted to the client device. The updated status is transmitted to the client device in response to receiving the request to off-board the mapped tenant. The method 500E ends with end operation 598.
As should be appreciated, operations 590-598 are described for purposes of illustrating the present methods and systems and are not intended to limit the disclosure to a particular sequence of steps, e.g., steps may be performed in different order, additional steps may be performed, and disclosed steps may be excluded without departing from the present disclosure.
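As an added illustration (not code from the patent or any product it describes), the following Python simulation walks through the onboarding exchange of method 500B, the mapped access of method 500C and the offboarding of method 500E, with both the public-cloud side and the private-cloud tenant service shown. The HMAC-signed token format, the role name "GlobalAdmin", the tenant and application names, and the removal of the graph entry when authentication fails are assumptions of this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed issuer keys for the example: each cloud signs its own admin token.
PUBLIC_CLOUD_KEY = b"public-cloud-issuer-key-constructed"
PRIVATE_CLOUD_KEY = b"private-cloud-issuer-key-constructed"


def mint_token(key: bytes, tenant_id: str, app_id: str, role: str) -> dict:
    """Token with tenant id, app id and role, HMAC-signed by the issuing cloud (assumed format)."""
    claims = {"tenant_id": tenant_id, "app_id": app_id, "role": role}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_token(key: bytes, token: dict) -> bool:
    """Constant-time check that the token was signed by the expected cloud."""
    body = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"])


@dataclass
class PrivateTenantService:
    """Private-cloud tenant service: operations 530/532 (500B), 562-566 (500C), 594 (500E)."""
    app_id: str                    # application service the mapping is for
    licensed_public_tenants: set   # public tenants licensed to launch it
    admin_roles: set = field(default_factory=lambda: {"GlobalAdmin"})
    mapping_db: dict = field(default_factory=dict)  # private tenant -> public tenant

    def authenticate_and_authorize(self, bearer: dict, ds_token: dict, public_tenant: dict) -> str:
        # Authentication: both tokens validate and the public tenant is licensed.
        if not (verify_token(PUBLIC_CLOUD_KEY, bearer) and verify_token(PRIVATE_CLOUD_KEY, ds_token)):
            return "error: token validation failed"
        if public_tenant["tenant_id"] not in self.licensed_public_tenants:
            return "error: public tenant not licensed"
        # Authorization: app identifiers in both tokens and both admin roles satisfy policy.
        if {bearer["claims"]["app_id"], ds_token["claims"]["app_id"]} != {self.app_id}:
            return "error: application identifier mismatch"
        if not {bearer["claims"]["role"], ds_token["claims"]["role"]} <= self.admin_roles:
            return "error: administrator role not authorized"
        # Operation 532: record the two-way trust in the private mapping database.
        self.mapping_db[ds_token["claims"]["tenant_id"]] = bearer["claims"]["tenant_id"]
        return "ok"

    def perform(self, public_tenant_id: str, operation: str) -> str:
        """Operations 562-566: resolve the mapped private tenant; access runs under that identity."""
        for private_tenant, mapped_public in self.mapping_db.items():
            if mapped_public == public_tenant_id:
                return f"ok: {operation} as {private_tenant}"
        return "error: no cross-cloud mapping for requesting tenant"

    def offboard(self, private_tenant_id: str) -> bool:
        """Operation 594: removing the mapping ends cross-cloud access."""
        return self.mapping_db.pop(private_tenant_id, None) is not None


@dataclass
class PublicCloud:
    """Tenant graph (operation 526) and location service (528, 534, 560)."""
    graph_db: dict = field(default_factory=dict)  # public tenant -> private tenant

    def onboard(self, bearer: dict, ds_token: dict, private_svc: PrivateTenantService) -> str:
        pub, priv = bearer["claims"]["tenant_id"], ds_token["claims"]["tenant_id"]
        self.graph_db[pub] = priv  # operation 526: insert the tenant mapping
        status = private_svc.authenticate_and_authorize(bearer, ds_token, {"tenant_id": pub})  # 528
        if status != "ok":
            del self.graph_db[pub]  # assumption: a mapping that failed 530 is not kept
        return status  # operation 534: completion or error status

    def access(self, public_tenant_id: str, private_svc: PrivateTenantService, operation: str) -> str:
        if public_tenant_id not in self.graph_db:  # operation 560: only onboarded tenants proceed
            return "error: tenant not onboarded"
        return private_svc.perform(public_tenant_id, operation)


def demo() -> dict:
    """Constructed walk-through: valid onboarding, a mis-issued token, offboarding."""
    private_svc = PrivateTenantService(app_id="vdi-app", licensed_public_tenants={"pub-A"})
    public = PublicCloud()
    bearer = mint_token(PUBLIC_CLOUD_KEY, "pub-A", "vdi-app", "GlobalAdmin")
    ds_token = mint_token(PRIVATE_CLOUD_KEY, "priv-B", "vdi-app", "GlobalAdmin")
    results = {"onboard": public.onboard(bearer, ds_token, private_svc)}
    results["access"] = public.access("pub-A", private_svc, "read-repo")
    # A directory service token the private cloud did not sign creates no mapping.
    other_bearer = mint_token(PUBLIC_CLOUD_KEY, "pub-D", "vdi-app", "GlobalAdmin")
    bad_ds = mint_token(PUBLIC_CLOUD_KEY, "priv-C", "vdi-app", "GlobalAdmin")
    results["bad_token"] = public.onboard(other_bearer, bad_ds, private_svc)
    results["graph_db"] = dict(public.graph_db)
    private_svc.offboard("priv-B")
    results["after_offboard"] = public.access("pub-A", private_svc, "read-repo")
    return results


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

The last step shows why the private cloud's mapping database, not the public graph entry, is the authoritative record: once the private side removes the mapping, a still-present graph entry no longer grants access.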
FIG. 6 is a block diagram illustrating physical components (e.g., hardware) of a computing device 600 with which aspects of the disclosure may be practiced. The computing device components described below may be suitable for the computing devices described above. In a basic configuration, the computing device 600 may include at least one processing unit 602 and a system memory 604. Depending on the configuration and type of computing device, the system memory 604 may comprise, but is not limited to, volatile storage (e.g., random access memory), non-volatile storage (e.g., read-only memory), flash memory, or any combination of such memories. The system memory 604 may include an operating system 605 and one or more program tools 606 suitable for performing the various aspects disclosed herein. The operating system 605, for example, may be suitable for controlling the operation of the computing device 600. Furthermore, aspects of the disclosure may be practiced in conjunction with a graphics library, other operating systems, or any other application program and are not limited to any particular application or system. This basic configuration is illustrated in FIG. 6 by those components within a dashed line 608. The computing device 600 may have additional features or functionality. For example, the computing device 600 may also include additional data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks, or tape. Such additional storage is illustrated in FIG. 6 by a removable storage device 609 and a non-removable storage device 610.
As stated above, a number of program tools and data files may be stored in the system memory 604. While executing on the at least one processing unit 602, the program tools 606 (e.g., an application 620) may perform processes including, but not limited to, the aspects, as described herein. The application 620 includes directory for public cloud 630, directory for private cloud 632, tenant graph 634, location service 636, application service 638, and private tenant service 640 as described in more detail in FIG. 1. Other program tools that may be used in accordance with aspects of the present disclosure may include electronic mail and contacts applications, word processing applications, spreadsheet applications, database applications, slide presentation applications, drawing or computer-aided application programs, etc.
Furthermore, aspects of the disclosure may be practiced in an electrical circuit comprising discrete electronic elements, packaged or integrated electronic chips containing logic gates, a circuit utilizing a microprocessor, or on a single chip containing electronic elements or microprocessors. For example, aspects of the disclosure may be practiced via a system-on-a-chip (SOC) where each or many of the components illustrated in FIG. 6 may be integrated onto a single integrated circuit. Such an SOC device may include one or more processing units, graphics units, communications units, system virtualization units, and various application functionality all of which are integrated (or “burned”) onto the chip substrate as a single integrated circuit. When operating via an SOC, the functionality, described herein, with respect to the capability of client to switch protocols may be operated via application-specific logic integrated with other components of the computing device 600 on the single integrated circuit (chip). Aspects of the disclosure may also be practiced using other technologies capable of performing logical operations such as, for example, AND, OR, and NOT, including but not limited to mechanical, optical, fluidic, and quantum technologies. In addition, aspects of the disclosure may be practiced within a general-purpose computer or in any other circuits or systems.
The computing device 600 may also have one or more input device(s) 612, such as a keyboard, a mouse, a pen, a sound or voice input device, a touch or swipe input device, etc. The output device(s) 614 such as a display, speakers, a printer, etc. may also be included. The aforementioned devices are examples and others may be used. The computing device 600 may include one or more communication connections 616 allowing communications with other computing devices 650. Examples of the communication connections 616 include, but are not limited to, radio frequency (RF) transmitter, receiver, and/or transceiver circuitry; universal serial bus (USB), parallel, and/or serial ports.
The term computer readable media as used herein may include computer storage media. Computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, or program tools. The system memory 604, the removable storage device 609, and the non-removable storage device 610 are all computer storage media examples (e.g., memory storage). Computer storage media may include RAM, ROM, electrically erasable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other article of manufacture which can be used to store information, and which can be accessed by the computing device 600. Any such computer storage media may be part of the computing device 600. Computer storage media does not include a carrier wave or other propagated or modulated data signal.
Communication media may be embodied by computer readable instructions, data structures, program tools, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and includes any information delivery media. The term “modulated data signal” may describe a signal that has one or more characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), infrared, and other wireless media.
FIG. 7 is a block diagram illustrating the architecture of one aspect of a computing device (e.g., the client device 104), a server (e.g., the public cloud 106 and the private cloud 108 as shown in FIG. 1), and the like. The system 702 can be integrated as a computing device.
One or more application programs 766 may be loaded into the memory 762 and run on or in association with the operating system 764. Examples of the application programs include phone dialer programs, e-mail programs, information management (PIM) programs, word processing programs, spreadsheet programs, Internet browser programs, messaging programs, and so forth. The system 702 also includes a non-volatile storage area 768 within the memory 762. The non-volatile storage area 768 may be used to store persistent information that should not be lost if the system 702 is powered down. The application programs 766 may use and store information in the non-volatile storage area 768, such as e-mail or other messages used by an e-mail application, and the like. A synchronization application (not shown) also resides on the system 702 and is programmed to interact with a corresponding synchronization application resident on a host computer to keep the information stored in the non-volatile storage 769 synchronized with corresponding information stored at the host computer. As should be appreciated, other applications may be loaded into the memory 762 and run on the computing device described herein.
The system 702 has a power supply 770, which may be implemented as one or more batteries. The power supply 770 might further include an external power source, such as an AC adapter or a powered docking cradle that supplements or recharges the batteries.
The system 702 may also include a radio interface layer 772 that performs the function of transmitting and receiving radio frequency communications. The radio interface layer 772 facilitates wireless connectivity between the system 702 and the “outside world” via a communications carrier or service provider. Transmissions to and from the radio interface layer 772 are conducted under control of the operating system 764. In other words, communications received by the radio interface layer 772 may be disseminated to the application programs 766 via the operating system 764, and vice versa.
The visual indicator 720 (e.g., LED) may be used to provide visual notifications, and/or an audio interface 774 may be used for producing audible notifications via the audio transducer 725. In the illustrated configuration, the visual indicator 720 is a light emitting diode (LED) and the audio transducer 725 is a speaker. These devices may be directly coupled to the power supply 770 so that when activated, they remain on for a duration dictated by the notification mechanism even though the processor 760 and other components might shut down for conserving battery power. The LED may be programmed to remain on indefinitely until the user takes action to indicate the powered-on status of the device. The audio interface 774 is used to provide audible signals to and receive audible signals from the user. For example, in addition to being coupled to the audio transducer 725, the audio interface 774 may also be coupled to a microphone to receive audible input, such as to facilitate a telephone conversation. In accordance with aspects of the present disclosure, the microphone may also serve as an audio sensor to facilitate control of notifications, as will be described below. The system 702 may further include a video interface 776 that enables an operation of devices connected to a peripheral device port 730 to record still images, video stream, and the like.
The computing device implementing the system 702 may have additional features or functionality. For example, the computing device may also include additional data storage devices (removable and/or non-removable) such as, magnetic disks, optical disks, or tape. Such additional storage is illustrated in FIG. 7 by the non-volatile storage area 768.
Data/information generated or captured by the computing device and stored via the system 702 may be stored locally on the computing device, as described above, or the data may be stored on any number of storage media that may be accessed by the device via the radio interface layer 772 or via a wired connection between the computing device and a separate computing device associated with the computing device, for example, a server computer in a distributed computing network, such as the Internet. As should be appreciated, such data/information may be accessed via the computing device via the radio interface layer 772 or via a distributed computing network. Similarly, such data/information may be readily transferred between computing devices for storage and use according to well-known data/information transfer and storage means, including electronic mail and collaborative data/information sharing systems.
The present disclosure relates to systems and methods of creating a cross-cloud relationship. A method comprises receiving, by a first cloud, a request to onboard a second cloud to create a cross-cloud relationship, wherein the request includes a first token associated with a first tenant in the first cloud, and a second token associated with a second tenant in the second cloud, wherein the second tenant is distinct from the first tenant, and the second cloud is distinct from the first cloud; transmitting an authentication request for authenticating the cross-cloud relationship to the second tenant, wherein the request includes the first token, the second token, and tenant information associated with the first tenant; receiving authentication result data from the second tenant; transmitting an authorization request for authorizing the cross-cloud relationship to the second tenant; receiving authorization result data from the second tenant; creating a mapping entry between the first tenant and the second tenant; and storing the mapping entry in a graph database in the first cloud. The first token comprises a first tenant identifier associated with the first tenant in the first cloud, a first application identifier, and a role setting associated with the first user; and the second token comprises a tenant identifier associated with the second tenant in the second cloud, a second application identifier, and a role setting associated with the second user. The authentication result data from the second tenant includes a result of authenticating the second user as an administrator associated with the second tenant in the second cloud. The first cloud includes a public cloud, and the second cloud includes a private cloud. The authentication result data comprises a result of validating the first token and the second token, and a result of validating an authentication of the first tenant in the first cloud for launching operation of an application.
The mapping entry represents the cross-cloud relationship between the first tenant in a public cloud and the second tenant in a private cloud. The authorization result data includes a result of validating the first token and the second token, a result of validating an identifier associated with an application service to be executed in the second tenant in the second cloud, and a result of validating roles associated with the first tenant in the first cloud and the second tenant in the second cloud. The first token is based on first credential data and the second token is based on second credential data, and the first credential data and the second credential data are distinct.
Another aspect of the technology relates to a system for creating a cross-cloud relationship between tenants for secure cross-cloud access. The system comprises a processor configured to execute a method comprising receiving, by a first cloud, a request to onboard a second cloud, wherein the request includes a first token associated with a first tenant in the first cloud, and a second token associated with a second tenant in the second cloud, wherein the second tenant is distinct from the first tenant, and the second cloud is distinct from the first cloud; transmitting an authentication request for authenticating the cross-cloud relationship to the second tenant, wherein the request includes the first token, the second token, and tenant information associated with the first tenant; receiving authentication result data from the second tenant; transmitting an authorization request for authorizing the cross-cloud relationship to the second tenant, wherein the request includes the first token, the second token, and tenant information associated with the first tenant; receiving authorization result data from the second tenant; creating a mapping entry between the first tenant and the second tenant; and storing the mapping entry in a graph database in the first cloud. The first token comprises a first tenant identifier associated with the first tenant in the first cloud, a first application identifier, and a role setting associated with the first user; and the second token comprises a tenant identifier associated with the second tenant in the second cloud, a second application identifier, and a role setting associated with the second user. The authorization result data from the second tenant includes a result of authenticating the second user as an administrator associated with the second tenant in the second cloud. The first cloud includes a public cloud, and the second cloud includes a private cloud.
The first credential data and the second credential data are distinct. The processor is further configured to execute a method comprising causing a virtual machine to launch in the second tenant in the second cloud, wherein the virtual machine executes an application in a virtual desktop; and causing display of the virtual desktop associated with the virtual machine for interactively operating the application and accessing data resources in the second tenant in the second cloud. The mapping represents a two-way trust between the first tenant in a public cloud and the second tenant in a private cloud.
In still further aspects, the technology relates to a method for creating a cross-cloud relationship between a first tenant in a first cloud and a second tenant in a second cloud for accessing the second tenant in the second cloud from the first tenant in the first cloud. The method comprises receiving, by the second tenant in the second cloud, a request for a login by a user; retrieving a token associated with the user in the second tenant of the second cloud; transmitting the token to the first tenant in the first cloud; receiving an authentication request from the first tenant in the first cloud; performing authentication of the cross-cloud relationship; transmitting authentication result data to the first tenant in the first cloud; receiving an authorization request from the first tenant in the first cloud; performing authorization of the cross-cloud relationship; and transmitting authorization result data to the first tenant in the first cloud. The token includes a tenant identifier, an application identifier, and a role setting associated with an administrator account. The first cloud includes a public cloud, and the second cloud includes a private cloud. The method further comprises launching operation of a virtual desktop in a virtual machine in the second tenant in the second cloud; receiving a request for login into the virtual desktop; and displaying the virtual desktop associated with the virtual machine for interactively operating an application and accessing data resources in the second tenant in the second cloud. The mapping entry represents a cross-cloud relationship between the first tenant in a public cloud and the second tenant in a private cloud.
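The onboarding exchange summarized above (first cloud forwards both tokens with its tenant information, the second tenant answers an authentication request and then an authorization request, and the first cloud records a mapping entry in its tenant graph) can be simulated end to end with both sides' messages. The following is an added example, not code from the patent or its assignee. The token format (JSON claims signed with HMAC-SHA256), the key and class names, the "administrator" role string, the constructed credentials and the application-service allow list are all assumptions: the page only states that a token carries a tenant identifier, an application identifier and a role setting, that the two tokens rest on distinct credential data, and which checks each result data reports.

```python
"""Simulated cross-cloud onboarding: first (public) cloud <-> second (private) tenant.
Added example; token format, names and sample credentials are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

ADMIN = "administrator"          # assumed role string for the administrator role setting


def issue_token(key: bytes, tenant_id: str, app_id: str, role: str) -> str:
    """Mint 'claims.sig': claims are canonical JSON, sig is HMAC-SHA256 under `key`."""
    claims = json.dumps({"tenant_id": tenant_id, "app_id": app_id, "role": role},
                        sort_keys=True, separators=(",", ":"))
    return claims + "." + hmac.new(key, claims.encode(), hashlib.sha256).hexdigest()


def verify_token(key: bytes, token: str):
    """Return the claims dict if the signature verifies under `key`, else None."""
    claims, _, sig = token.rpartition(".")
    expected = hmac.new(key, claims.encode(), hashlib.sha256).hexdigest()
    if not claims or not hmac.compare_digest(expected, sig):   # constant-time compare
        return None
    return json.loads(claims)


@dataclass
class SecondTenant:
    """Private-cloud tenant: answers the authentication and authorization requests."""
    tenant_id: str
    own_key: bytes                  # second credential data (distinct from the first cloud's)
    first_cloud_key: bytes          # key this tenant trusts for first-cloud tokens
    allowed_app_services: set       # application-service identifiers it will execute

    def _validate(self, req):
        first = verify_token(self.first_cloud_key, req["first_token"])
        second = verify_token(self.own_key, req["second_token"])
        if first is None or second is None:
            return None
        if second["tenant_id"] != self.tenant_id:          # token minted for another tenant
            return None
        if first["tenant_id"] != req["tenant_info"]["tenant_id"]:   # info vs. token mismatch
            return None
        return first, second

    def authenticate(self, req):
        pair = self._validate(req)
        if pair is None:
            return {"ok": False, "reason": "token validation failed"}
        if pair[1]["role"] != ADMIN:
            return {"ok": False, "reason": "second user is not a tenant administrator"}
        return {"ok": True}

    def authorize(self, req):
        pair = self._validate(req)
        if pair is None:
            return {"ok": False, "reason": "token validation failed"}
        first, second = pair
        if req["app_service_id"] not in self.allowed_app_services:
            return {"ok": False, "reason": "unknown application service"}
        if first["role"] != ADMIN or second["role"] != ADMIN:
            return {"ok": False, "reason": "both tenants must present the administrator role"}
        return {"ok": True}


@dataclass
class FirstCloud:
    """Public-cloud tenant: drives onboarding and stores the mapping in its tenant graph."""
    tenant_id: str
    own_key: bytes                                  # first credential data
    graph: dict = field(default_factory=dict)       # tenant -> set of trusted tenants

    def onboard(self, peer: SecondTenant, first_token, second_token, app_service_id):
        first = verify_token(self.own_key, first_token)
        if first is None or first["tenant_id"] != self.tenant_id:
            return {"ok": False, "stage": "request", "reason": "first token invalid"}
        req = {"first_token": first_token, "second_token": second_token,
               "tenant_info": {"tenant_id": self.tenant_id}, "app_service_id": app_service_id}
        auth = peer.authenticate(req)
        if not auth["ok"]:
            return {"ok": False, "stage": "authentication", "reason": auth["reason"]}
        authz = peer.authorize(req)
        if not authz["ok"]:
            return {"ok": False, "stage": "authorization", "reason": authz["reason"]}
        # Mapping entry: a two-way trust edge, stored only after both results are positive.
        self.graph.setdefault(self.tenant_id, set()).add(peer.tenant_id)
        self.graph.setdefault(peer.tenant_id, set()).add(self.tenant_id)
        return {"ok": True, "stage": "mapped",
                "mapping": (self.tenant_id, peer.tenant_id, app_service_id)}

    def trusts(self, a: str, b: str) -> bool:
        return b in self.graph.get(a, set()) and a in self.graph.get(b, set())


def demo():
    """Happy path plus the failure modes each side is responsible for catching."""
    k1, k2 = b"first-cloud-credential", b"second-tenant-credential"   # constructed, distinct
    pub = FirstCloud("tenant-public", k1)
    priv = SecondTenant("tenant-private", k2, k1, {"vdi-launcher"})
    t1 = issue_token(k1, "tenant-public", "onboard-app", ADMIN)
    t2 = issue_token(k2, "tenant-private", "onboard-app", ADMIN)
    t2_user = issue_token(k2, "tenant-private", "onboard-app", "user")
    t2_forged = issue_token(b"guessed-key", "tenant-private", "onboard-app", ADMIN)
    return {
        "ok": pub.onboard(priv, t1, t2, "vdi-launcher")["stage"],
        "non_admin": pub.onboard(priv, t1, t2_user, "vdi-launcher")["stage"],
        "forged": pub.onboard(priv, t1, t2_forged, "vdi-launcher")["stage"],
        "bad_service": pub.onboard(priv, t1, t2, "raw-db-access")["stage"],
        "two_way": pub.trusts("tenant-public", "tenant-private"),
    }
```

Two points the simulation makes explicit that the summary leaves implicit: the second tenant verifies each token against the issuer that minted it (its own key for the second token, the first cloud's key for the first), so a token forged under a guessed key or minted for a different tenant fails before any role is consulted; and the mapping entry is written only after both the authentication and the authorization results are positive, so a rejected application-service identifier or a missing administrator role leaves no trust edge behind.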
The description and illustration of one or more aspects provided in this application are not intended to limit or restrict the scope of the disclosure as claimed in any way. The claimed disclosure should not be construed as being limited to any aspect, for example, or detail provided in this application. Regardless of whether shown and described in combination or separately, the various features (both structural and methodological) are intended to be selectively included or omitted to produce an embodiment with a particular set of features. Having been provided with the description and illustration of the present application, one skilled in the art may envision variations, modifications, and alternate aspects falling within the spirit of the broader aspects of the general inventive concept embodied in this application that do not depart from the broader scope of the claimed disclosure.
September 30, 2022
March 5, 2026